From e0b7adf51e3e41e67a8bed130d98949bf5428b1f Mon Sep 17 00:00:00 2001 From: Funda Wang Date: Mon, 24 Feb 2025 11:46:52 +0800 Subject: [PATCH] fix CVE-2024-56171, CVE-2025-24928, CVE-2025-27113 --- backport-CVE-2024-56171.patch | 41 ++++++++++++++++++++++++++ backport-CVE-2025-24928.patch | 55 +++++++++++++++++++++++++++++++++++ backport-CVE-2025-27113.patch | 31 ++++++++++++++++++++ libxml2.spec | 13 ++++++++- 4 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-56171.patch create mode 100644 backport-CVE-2025-24928.patch create mode 100644 backport-CVE-2025-27113.patch diff --git a/backport-CVE-2024-56171.patch b/backport-CVE-2024-56171.patch new file mode 100644 index 0000000..96a2ab1 --- /dev/null +++ b/backport-CVE-2024-56171.patch @@ -0,0 +1,41 @@ +From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 10 Dec 2024 16:52:05 +0100 +Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after + xmlSchemaItemListAdd + +xmlSchemaItemListAdd can reallocate the items array. Update local +variables after adding item in + +- xmlSchemaIDCFillNodeTables +- xmlSchemaBubbleIDCNodeTables + +Fixes #828. +--- + xmlschemas.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/xmlschemas.c b/xmlschemas.c +index d276faf10..28b14bd44 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -23388,6 +23388,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt, + } + if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1) + goto internal_error; ++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items; + /* + * Remove the duplicate entry from the IDC node-table. + */ +@@ -23604,6 +23605,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt) + goto internal_error; + } + xmlSchemaItemListAdd(parBind->dupls, parNode); ++ dupls = (xmlSchemaPSVIIDCNodePtr *) ++ parBind->dupls->items; + } else { + /* + * Add the node-table entry (node and key-sequence) of +-- +GitLab + diff --git a/backport-CVE-2025-24928.patch b/backport-CVE-2025-24928.patch new file mode 100644 index 0000000..8f7a861 --- /dev/null +++ b/backport-CVE-2025-24928.patch @@ -0,0 +1,55 @@ +From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 11 Feb 2025 17:30:40 +0100 +Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in + xmlSnprintfElements + +Fixes #847. +--- + valid.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/valid.c b/valid.c +index 76d657d62..abefdc50a 100644 +--- a/valid.c ++++ b/valid.c +@@ -5268,26 +5268,26 @@ + return; + } + switch (cur->type) { +- case XML_ELEMENT_NODE: ++ case XML_ELEMENT_NODE: { ++ int qnameLen = xmlStrlen(cur->name); ++ ++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) ++ qnameLen += xmlStrlen(cur->ns->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ if ((size - len > 4) && (buf[len - 1] != '.')) ++ strcat(buf, " ..."); ++ return; ++ } + if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { +- if (size - len < xmlStrlen(cur->ns->prefix) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) cur->ns->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(cur->name) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + if (cur->name != NULL) + strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; ++ } + case XML_TEXT_NODE: + if (xmlIsBlankNode(cur)) + break; +-- +GitLab diff --git a/backport-CVE-2025-27113.patch b/backport-CVE-2025-27113.patch new file mode 100644 index 0000000..89710c0 --- /dev/null +++ b/backport-CVE-2025-27113.patch @@ -0,0 +1,31 @@ +From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 13 Feb 2025 16:48:53 +0100 +Subject: [PATCH] pattern: Fix compilation of explicit child axis + +The child axis is the default axis and should generate XML_OP_ELEM like +the case without an axis. +--- + pattern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pattern.c b/pattern.c +index 55ae2d3e5..b0f7f1601 100644 +--- a/pattern.c ++++ b/pattern.c +@@ -1164,10 +1164,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) { + goto error; + } + } else { +- PUSH(XML_OP_CHILD, token, URL); ++ PUSH(XML_OP_ELEM, token, URL); + } + } else +- PUSH(XML_OP_CHILD, name, NULL); ++ PUSH(XML_OP_ELEM, name, NULL); + return; + } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) { + XML_PAT_FREE_STRING(ctxt, name) +-- +GitLab + diff --git a/libxml2.spec b/libxml2.spec index a99520d..3d93570 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,7 +1,7 @@ Summary: Library providing XML and HTML support Name: libxml2 Version: 2.9.14 -Release: 14 +Release: 15 License: MIT Group: Development/Libraries Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz @@ -224,6 +224,9 @@ Patch6199: backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch Patch6200: backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch Patch6201: backport-CVE-2024-34459.patch Patch6202: backport-xpath-Fix-build-without-LIBXML_XPATH_ENABLED.patch +Patch6203: backport-CVE-2024-56171.patch +Patch6204: backport-CVE-2025-24928.patch +Patch6205: backport-CVE-2025-27113.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: python3-devel @@ -381,6 +384,14 @@ rm -fr %{buildroot} %changelog +* Mon Feb 24 2025 Funda Wang - 2.9.14-15 +- Type:CVE +- CVE:CVE-2024-56171 +- CVE:CVE-2025-24928 +- CVE:CVE-2025-27113 +- SUG:NA +- DESC: fix CVE-2024-56171, CVE-2025-24928, CVE-2025-27113 + * Wed Jun 26 2024 zhuofeng - 2.9.14-14 - Type:bugfix - CVE:NA -- Gitee